Wachtell, Lipton, Rosen & Katz 


July 17, 2019 


Why Compliance (Still) Matters 


We and many other observers have noted the significant drop over the 
past two years in both the number of white-collar prosecutions and the scale of 
corporate fines and penalties. In such an environment, companies might be 
tempted to think that having an effective compliance program is less urgent and 
less important than in the past. Our experience suggests that succumbing to such 
temptation would be a mistake. In fact, now is arguably the best time for 
corporations to continue investing in their compliance programs to ensure they 
have in place an effective and comprehensive set of compliance policies, 
procedures and internal controls. 

Four important developments support this view: 

First, the Department of Justice and other law enforcement 
authorities—through various policy pronouncements and speeches over the past 18 
months—^have made their white-collar decision-making process more transparent. 
Law enforcement authorities have clarified what they expect to see in a well- 
maintained corporate compliance regime and how the presence (or absence) of 
those elements will be weighed when determining critical components of corporate 
resolutions, such as the type of disposition they will seek, the scale and nature of 
financial penalties, and other remedial measures, including monitors, that may be 
imposed. {See our 2018 Year-End Memo) Indeed, just last week, DOJ’s Antitrust 
Division announced a new policy that empowers prosecutors, when making 
charging decisions, to give credit to companies for having effective antitrust 
compliance programs, noting that the Division “is committed to rewarding 
corporate efforts to invest in and instill a culture of compliance.” Put simply, the 
“carrot” being offered by law enforcement to encourage compliance and 
cooperation is bigger than ever, but so is the “stick” used when companies fall 
short of these governmental expectations. 

Second, the record of corporate dispositions over the past two years 
illustrates the dramatic differences in how the government rewards on the one 
hand, and punishes on the other, the range of corporate responses to underlying 
misconduct. For example, in Cognizant Technology Solutions Corp. (Feb. 13, 
2019), DOJ declined to take any criminal enforcement action against the company 
“notwithstanding that the [FCPA] misconduct reached the highest levels of the 
company,” because the company “voluntarily self-disclosed the conduct within 


If your address changes or if you do not wish to continue receiving these memos, 
please send an e-mail to Publications @ wlrk. com or call 212-403-1443. 


3488343 







Wachtell, Lipton, Rosen & Katz 


two weeks of when the board learned of it,” and, as a result, DOJ was able to 
develop criminal cases against individual executives. Similarly, in Walmart Inc. 
(June 20, 2019), despite an extensive record of wrongdoing and a failure to initially 
self-report misconduct in a Mexican subsidiary, the Walmart parent was able to 
secure a non-prosecution agreement . This result was due in large part to the 
company’s extensive and proactive cooperation, and its adoption of substantial 
remedial measures, including the hiring of a global chief ethics and compliance 
officer, with direct reporting to the board’s Audit Committee, a wide array of anti¬ 
corruption monitoring measures, enhanced internal controls, expanded training and 
the termination of relationships with third parties involved in corrupt activities. 

Conversely, in Rabobank N.A. (Feb. 7, 2018), DOJ insisted upon a 
corporate guilty plea for Bank Secrecy Act and AML violations because the bank 
had implemented a flawed BSA/AML program that precluded appropriate 
investigation of suspicious transactions, and senior executives actively obstructed 
an initial OCC examination of the bank, submitted false and misleading 
information about its BSA/AML program, and demoted or terminated employees 
who were raising questions about the adequacy of the bank’s compliance program. 
Similarly, though somewhat less dramatically than in the Rabobank case, in HSBC 
Holding pic (Jan. 18, 2018), DOJ required a deferred prosecution agreement 
principally because the bank’s initial efforts to cooperate were deficient in several 
respects and it did not voluntarily and timely disclose the underlying misconduct. 
And according to recent media reports, the Federal Trade Commission has 
approved a $5 billion penalty against Facebook for violating a 2012 consent decree 
that required, among other things, implementation of a comprehensive consumer 
privacy compliance program. 

Third, DOJ recently issued an extensive memorandum providing 
guidance regarding its specific expectations concerning corporate compliance 
programs, cooperation, remediation and restitution. The guidance highlights that 
prosecutors may “reward” efforts to improve compliance through a more favorable 
form of resolution or a reduced penalty. And in a speech announcing the guidance, 
the Assistant Attorney General for DOJ’s Criminal Division emphasized that 
implementation of an effective compliance program is a precondition to eligibility 
for a declination under DOJ’s FCPA Corporate Enforcement Policy. {See our prior 
memo here) 


The DOJ guidance runs to 18 pages, and we will not try here to 
summarize all of what it covers. However, in our view, the central takeaways 
include: 


- 2 - 








Wachtell, Lipton, Rosen & Katz 


• developing a comprehensive inventory of the legal, regulatory and 
reputational risks entailed in running the company’s various 
business lines; 

• periodically refreshing and updating this inventory as the 
company’s businesses, sales/marketing practices, markets, 
geographic scope and customer base evolve over time; 

• designing a compliance program that is dynamic and carefully 
tailored to address these evolving risks and that is periodically re¬ 
assessed and enhanced as necessary, based on up-to-date metrics 
and data, to take account of material changes in the company’s 
legal, regulatory and reputational risk profile; 

• taking steps to ensure that the company’s compliance program is 
properly “operationalized” at the level of day-to-day business 
activities where issues often arise, including by making sure that 
the right “tone at the top” translates into the right “tone on the 
ground,” and instituting well-considered training and educational 
programs aimed at the right audiences and using the right tools; 
and 

• ensuring adequate board and senior management involvement, 
both in terms of assuring they are appropriately informed about 
risks entailed in the enterprise and mitigation measures being 
deployed to address those risks, and also that the board is given 
adequate opportunities to pressure test those measures through 
periodic updates and time for follow-up inquiry. 

Fourth, a final reason for continued focus on compliance is that, in 
recent years, both foreign governments and state attorneys general have become far 
more active than in the past and now seek more aggressively to bring cases, either 
alongside U.S. authorities or even in situations where federal authorities have 
chosen not to act. At the same time, as we explained earlier this year, foreign 
governments are increasingly adopting corporate dispositions modelled on U.S. 
NPAs and DPAs, and expressly recognize that credit is being given for companies 
having effective compliance regimes, adopting appropriate remedial measures, and 
providing substantial, valuable cooperation. Some foreign countries also have 
enacted affirmative defenses that would exonerate companies able to demonstrate 
they had a well-designed compliance program at the time of the alleged 
wrongdoing. Likewise, having put in place a comprehensive and well-designed 


- 3 - 



Wachtell, Lipton, Rosen & Katz 


compliance program will redound to any company’s benefit when responding to a 
state attorney general investigation. 

For all of these reasons, it is wise to invest in designing, 
implementing, and periodically refreshing and reorienting a robust compliance 
program. In our experience, effective compliance programs provide a real 
opportunity to prevent misconduct from arising in the first place or nipping 
potential legal and compliance issues in the bud before they blossom into a full¬ 
blown corporate crisis. And should misconduct occur, an effective compliance 
program that enables early detection and timely remediation of misconduct will 
best position a company to achieve a more favorable resolution at the close of any 
resulting investigation. 


John F. Savarese 
Ralph M. Levene 
David B. Anders 
Marshall L. Miller 


- 4 - 



